The question is whether having the machine account password and access to
that system gives you any ability to impersonate users or elevate your
access to other systems. Presumably, if you could get into the protected
store, you could compromise any locally cached tickets for other users to
specific services on remote systems. This is perhaps non-trivial on Windows
systems, but becomes a lot easier when you are root on a *nix system that is
using Kerberos against AD. Sticking just to Windows, could you conceivably
forge new tickets to remote resources as an arbitrary user? That would be
the rationale for attacking the computer account rather than a user account.
More bang for the buck.


On 1/8/07, Al Mulnick <[EMAIL PROTECTED]> wrote:

I haven't tried it, but I would have assumed (I know, I know) that if
somebody *could* gain the computer account password:
1) you have much bigger issues
2) they would have access to a machine. See #1
3) they would have access to anything that authenticated users have access to. See #1
4) they know enough about your systems to mount a pretty good attack. See #1

IIRC, machine accounts can get old for various but legitimate reasons.
Consider a laptop that hasn't been back on your trusted network for over 30
days.  It would have an old password, but it may be legitimate and may come
back to your network in the next 60 and would be able to synchronize its
password changes then.

You really have to protect the source of the machine account password
which is random and is not readily available.

Do you have a way to get the machine account passwords? If so, why?  And
if you have them, why don't you just go after the user passwords?

On 1/8/07, Mr Oteece <[EMAIL PROTECTED]> wrote:
>
> What are the risks associated with the exposure of machine account
> passwords in Active Directory? Passwords are changed for machine accounts
> regularly, but they don't really expire and can get rather old. If an
> attacker has access to this password, what sort of access would he have to
> other systems on the network via Kerberos? i.e., would he be able to
> forge service tickets as other users and elevate his access elsewhere? The
> laxness of policy surrounding these accounts suggests that this is not a
> huge risk. Should we be more concerned with these old passwords?
>
> Otis
>


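The one concrete thing the thread does agree on is that machine account passwords can get old, sometimes for legitimate reasons (the roaming laptop), and that nobody is looking. Below is an added example, not code from any of the posters, of the audit a practitioner would run to see which computer accounts are actually behind. It works on the two LDAP attributes that matter, pwdLastSet (a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC) and userAccountControl, so it runs offline on constructed records; in a real environment you would feed it the result of a paged LDAP search for (objectCategory=computer) from the ActiveDirectory module or any LDAP client. The 30-day figure is the default Netlogon MaximumPasswordAge for machine accounts; the 90-day reporting threshold and the sample host names are assumptions for illustration.

```python
"""Flag Active Directory computer accounts whose password has not rotated.

Added example, not from the original thread. Operates on LDAP-style
attribute dictionaries so it runs offline; in production, feed it the
pwdLastSet and userAccountControl attributes of every computer object.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# FILETIME epoch: 1601-01-01 UTC, counted in 100-nanosecond ticks.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bit for a disabled account.
UAC_ACCOUNTDISABLE = 0x0002

# Default Netlogon MaximumPasswordAge for machine accounts (days).
DEFAULT_MACHINE_PASSWORD_AGE_DAYS = 30

# Assumed reporting threshold: three rotation intervals. Roaming laptops
# legitimately miss one interval; missing three is worth a look.
STALE_AFTER_DAYS = 3 * DEFAULT_MACHINE_PASSWORD_AGE_DAYS


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert an AD FILETIME integer to an aware datetime.

    A value of 0 means the password was never set (or was administratively
    reset) and is returned as None rather than as the year 1601.
    """
    if ft <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build sample records."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def stale_computers(
    records: List[Dict[str, object]],
    now: Optional[datetime] = None,
    max_age_days: int = STALE_AFTER_DAYS,
) -> List[Tuple[str, Optional[int], str]]:
    """Return (sAMAccountName, age_in_days, reason) for enabled computer
    accounts whose password is older than max_age_days or was never set.

    Disabled objects are skipped: they cannot authenticate, so their old
    password is a hygiene issue rather than a credential exposure.
    """
    now = now or datetime.now(timezone.utc)
    findings: List[Tuple[str, Optional[int], str]] = []
    for rec in records:
        name = str(rec["sAMAccountName"])
        uac = int(rec.get("userAccountControl", 0))
        if uac & UAC_ACCOUNTDISABLE:
            continue
        last_set = filetime_to_datetime(int(rec.get("pwdLastSet", 0)))
        if last_set is None:
            findings.append((name, None, "pwdLastSet is 0 (never set or reset)"))
            continue
        age = (now - last_set).days
        if age > max_age_days:
            findings.append((name, age, f"password older than {max_age_days} days"))
    return findings


# Constructed sample data, dated to match the thread. Not real accounts.
NOW = datetime(2007, 1, 8, tzinfo=timezone.utc)


def _rec(name: str, days_ago: Optional[int], uac: int = 0x1000) -> Dict[str, object]:
    """0x1000 is WORKSTATION_TRUST_ACCOUNT, the usual UAC for a member machine."""
    pwd = 0 if days_ago is None else datetime_to_filetime(NOW - timedelta(days=days_ago))
    return {"sAMAccountName": name, "pwdLastSet": pwd, "userAccountControl": uac}


SAMPLE_COMPUTERS = [
    _rec("WS01$", 5),                           # rotated recently, fine
    _rec("LAPTOP07$", 45),                      # roaming laptop, one missed interval
    _rec("FILESRV02$", 400),                    # over a year stale, enabled
    _rec("OLDPRINT$", 400, uac=0x1000 | UAC_ACCOUNTDISABLE),  # disabled, skipped
    _rec("NEWBUILD$", None),                    # pwdLastSet = 0
]


if __name__ == "__main__":
    for name, age, reason in stale_computers(SAMPLE_COMPUTERS, now=NOW):
        print(f"{name:<12} age={age!s:>5}  {reason}")
```

Lowering max_age_days to the 30-day default pulls LAPTOP07$ into the report, which is exactly the false-positive class Al describes; the point of the higher threshold is to separate machines that are merely travelling from ones whose password has not changed in a year and should be re-joined or removed.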